
Crumb must be sent with POST requests even when using authentication token

      If you are making a POST request from a tool like curl, and Jenkins is configured with a CrumbIssuer, you are required to obtain and pass back a valid crumb (preferably as an HTTP header) even when you are using an API token. This seems unnecessary, since the purpose of crumbs is to defend against CSRF attacks, which are possible only when the victim has a Jenkins session cookie in a browser or some browserlike client and unwittingly makes an HTTP request instigated by the attacker. But a request using basic authentication with an API token could not have come from such a client—you would not try to log in using an API token rather than using security realm-specific means, and in fact you cannot do so unless Jenkins sent a 401 response with a WWW-Authenticate header, which it almost never does.

      (loginError.jelly includes a 401 response without that header, which is probably wrong. BasicAuthenticationFilter, used with the legacy security realm, does send the challenge, though this does not seem to let you actually log in using an API token either—only pass through, like ApiTokenFilter would do.)

      Assuming that it is true that you cannot get a login session using an API token even if you tried, I would suggest that CrumbFilter check for req.getAttribute(ApiTokenProperty.class.getName()) instanceof User, which would be true if ApiTokenFilter has already run successfully, and in this case do nothing. (Or, for better modularity, ApiTokenFilter could implement a CrumbExclusion.) This would make the REST API significantly easier to use.
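As an added illustration of the exclusion proposed above (example code, not from Jenkins core or from the issue's author): a small Python model of a crumb filter that enforces a session-bound crumb on state-changing requests but skips the check once basic-auth API-token verification has already succeeded. The header name Jenkins-Crumb, the cookie name JSESSIONID, the secret and the token store are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret and token store; stand-ins, not Jenkins internals.
CRUMB_SECRET = b"constructed-secret-for-example"
TOKENS = {"alice": "constructed-token-123"}

def issue_crumb(session_id: str) -> str:
    """Bind the crumb to the browser session so a cross-site page cannot forge it."""
    return hmac.new(CRUMB_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def basic_auth_header(user: str, token: str) -> str:
    """Build the Authorization value a tool like curl -u would send."""
    return "Basic " + base64.b64encode(f"{user}:{token}".encode()).decode()

def api_token_user(headers: dict):
    """Return the user if the Authorization header carries a valid API token, else None.
    This plays the role of the token authenticator having already run successfully."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, token = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    expected = TOKENS.get(user)
    if expected and hmac.compare_digest(expected.encode(), token.encode()):
        return user
    return None

def crumb_filter(method: str, headers: dict, cookies: dict) -> str:
    """CSRF decision for one request: 'allow' or 'reject'.
    Header and cookie names are assumptions of this model."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return "allow"  # crumbs only guard state-changing requests
    # The proposed exclusion: a token-authenticated request cannot be a
    # browser-driven CSRF, because a browser never attaches the token on its own.
    if api_token_user(headers) is not None:
        return "allow"
    # Otherwise the request must carry a crumb matching its session cookie.
    session_id = cookies.get("JSESSIONID")
    crumb = headers.get("Jenkins-Crumb")
    if session_id and crumb and hmac.compare_digest(
            crumb.encode(), issue_crumb(session_id).encode()):
        return "allow"
    return "reject"
```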


          Jesse Glick created issue -
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-25637 [ JENKINS-25637 ]
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-18114 [ JENKINS-18114 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 154575 ] New: JNJira + In-Review [ 178846 ]

          Jesse Glick added a comment -

          Best if tokens are not retrievable, so there is no risk of /me/configure being retrieved by a cross-site script.

          Jesse Glick made changes -
          Link New: This issue depends on JENKINS-32776 [ JENKINS-32776 ]
          Nicolai Ehemann made changes -
          Link New: This issue is duplicated by JENKINS-37498 [ JENKINS-37498 ]
          Wadeck Follonier made changes -
          Assignee New: Wadeck Follonier [ wfollonier ]
          Wadeck Follonier made changes -
          Remote Link New: This issue links to "#3129 (jenkins-core) (Web Link)" [ 17992 ]

Wadeck Follonier added a comment -

As the ApiTokenFilter is deprecated now, I do the attribute setting in BasicHeaderApiTokenAuthenticator after having checked the API Token.

Concerning the retrievability, it will be addressed in JENKINS-32776.
